Apache NiFi using non self-signed certificates

Explorer

Please keep in mind I am in no way savvy in "this stuff" at all, so please bear with me.

Issue: I am still receiving "Your connection is not private" / "NET::ERR_CERT_AUTHORITY_INVALID" when accessing the NiFi web UI that I have installed on a Linux server, even though I set it up with a certificate provided by my company (I believe I did something wrong here).

Goal: Anyone who tries to access the web UI will be met with the NiFi Login screen (this part is already set up with LDAP) without having to import a certificate, instead of the warning ("Your connection is not private") page. I think it's important to know that I have it working fine with a self-signed certificate and importing the certificate into my browser.

Summary (Please read this knowing that my understanding of the subject is very minimal):

1. I generated a CSR and keystore.jks (which, from what I understand, contains the private key) with the following command:

keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore keystore.jks -dname "CN={{domain data here}}" && keytool -certreq -alias server -file nifi.csr -keystore keystore.jks && echo Your certificate signing request is in nifi.csr.  Your keystore file is keystore.jks.  Thanks for using the DigiCert keytool CSR helper.

2. Forwarded the generated CSR to our company CA and they sent back the following 4 files:

  1. nifi.cer
  2. nifi.p7b
  3. root-CA.cer
  4. issuing-CA.cer

3. Generated a truststore.jks (with a temp alias and removed it) and imported the nifi.cer into it

keytool -import -alias server -file "nifi.cer" -keystore truststore.jks

4. Placed the truststore and keystore files into the conf directory of NiFi on the server and updated the # security properties # in nifi.properties to reflect the keystore and truststore files.


Please let me know if I did something wrong or I misunderstood something.

1 ACCEPTED SOLUTION


Hi Davis,


I imagine the issue is that the server certificate that was signed by your organizational CA doesn't include the (intermediate or root) CA public certificates. It appears they (the signing team) sent those to you in addition as separate files. My expectation is that if you run the command more issuing-CA.cer or more root-CA.cer, you will get an output like this:


-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


If you then run this command openssl x509 -in issuing-CA.cer -text -noout (verifies the certificate is parsable), you should get output like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=Santa Monica, O=Apache, OU=NiFi, CN=Example NiFi CA/emailAddress=example@nifi.apache.org
        Validity
            Not Before: Oct 27 00:10:07 2016 GMT
            Not After : Jul 24 00:10:07 2019 GMT
        Subject: C=US, ST=CA, L=Santa Monica, O=Apache, OU=NiFi, CN=nifi.apache.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:99:80:ee:79:34:f7:34:83:57:48:74:f2:9a:09:
                    c0:2f:68:a5:b1:bc:d9:da:75:28:7f:70:d0:ed:3a:
                    1f:65:7f:59:9f:9a:f5:70:47:32:25:cd:14:f5:bc:
                    09:0e:43:c4:5d:7c:2f:37:9e:f8:5a:22:f9:b7:15:
                    4a:57:e2:d9:2f:e9:ea:25:25:a5:35:2b:6f:06:23:
                    1b:67:87:8c:ed:4b:b0:1f:d2:0f:9b:fd:fa:ca:87:
                    e1:91:ea:82:a0:50:4e:47:81:38:3b:22:6d:02:c4:
                    d1:b3:bc:a3:a7:bd:98:c3:8e:04:1e:95:75:c6:35:
                    71:5c:19:c0:70:2b:9c:90:ac:14:93:5f:bd:43:f8:
                    23:fe:95:66:b0:c7:e8:af:d6:f2:b6:8a:a9:ed:f8:
                    a2:62:5a:90:da:aa:51:57:1d:7a:fb:ea:60:d8:94:
                    c8:30:29:4c:f3:ef:84:23:af:32:2b:0a:1f:30:32:
                    de:24:6d:0f:73:1c:4d:d2:5b:c5:f9:cf:3a:52:80:
                    33:5c:22:87:0f:b7:09:c9:3c:d3:47:a3:e9:74:16:
                    2e:39:76:6b:10:13:a3:f6:84:2f:08:26:8d:f6:79:
                    10:fb:b6:70:4c:dd:be:ef:c5:0a:c4:f7:cb:d8:1b:
                    58:b0:1c:ff:6e:18:c2:95:59:8e:57:30:12:9d:c2:
                    93:4b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                96:02:F9:1D:BE:53:F0:D9:10:C9:B8:53:41:46:92:6E:7D:E4:63:B3
            X509v3 Authority Key Identifier:
                keyid:44:D8:A0:AA:3F:8D:24:1D:66:A0:EE:A0:2E:04:9F:DB:C5:EB:43:CA

            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
         85:90:6f:02:a3:48:1a:6c:89:d2:35:ff:85:e6:6d:8e:ec:5f:
         d8:6a:95:21:b6:63:fa:59:41:37:22:f5:b5:a2:64:d7:6e:9a:
         bc:e2:12:cb:d6:9b:0f:64:aa:7d:64:2c:d2:79:52:cb:bc:39:
         dc:29:08:9e:85:42:0b:7b:73:77:13:e3:02:a1:25:12:ed:37:
         79:88:ec:13:62:2e:dd:dd:55:d3:42:98:55:c4:c3:a4:e3:6f:
         68:83:66:24:cd:70:31:e3:2a:df:4d:ed:f5:38:54:78:f9:ea:
         f4:96:50:11:c0:02:52:7f:17:30:6d:88:87:f6:0f:3b:ef:cb:
         de:05:d1:ed:ee:52:51:16:cd:6d:2a:e6:0f:d1:0a:d2:48:45:
         d4:30:91:d5:f1:2c:0f:20:dc:95:1d:0c:e5:06:a6:a6:65:d9:
         90:5a:9e:ee:77:29:88:f6:ef:7d:77:59:2c:78:35:52:3b:e0:
         52:8c:53:71:3f:83:d6:e6:41:c0:1d:fd:a7:8f:b2:7d:aa:3f:
         b6:67:34:c2:9a:74:24:54:3a:5a:30:2c:cc:9f:b3:1c:55:e1:
         13:69:43:d9:87:4c:ad:51:2c:0d:46:a2:d1:e8:55:25:c5:78:
         83:9e:4a:8d:64:9f:0f:4f:0b:5d:1d:70:db:99:62:b9:18:d5:
         a3:a1:c6:38:bf:3d:8c:45:5e:fd:1e:29:e3:ba:ed:94:6c:1e:
         01:ef:05:70:49:d7:56:cf:89:45:0a:69:32:d5:5e:9f:55:7f:
         ae:e2:7a:32:44:5d:52:53:68:85:07:e9:f1:8a:f5:85:8d:a8:
         17:ec:dd:d1:1b:17:c4:15:51:08:01:9e:c4:95:32:d1:53:75:
         e0:98:af:66:d1:f6:9d:c5:01:eb:43:a4:c3:b6:b7:cf:3d:08:
         a4:ab:eb:69:86:f6:d7:c5:b9:4e:a7:85:e6:5d:31:e7:c8:1a:
         82:be:4f:72:ea:98:3e:77:b1:b6:f1:6b:8a:79:ff:e3:7a:af:
         a1:ae:1a:67:0b:19:9e:59:a9:88:3e:c8:1c:cf:d3:c3:bf:e5:
         1c:ad:7a:21:fa:86:fb:ec:85:9d:66:17:63:3a:c5:2f:3f:7c:
         45:5a:0e:64:8f:89:80:78:36:77:1b:82:ce:68:dd:cf:f3:96:
         0e:b3:3d:91:9e:69:61:eb:ee:f5:57:22:6d:ca:19:cd:3e:d8:
         d6:20:4f:c0:c7:1d:0f:ba:23:90:8c:51:11:c3:4c:2f:96:11:
         d5:fd:54:45:24:b7:af:08:a1:4b:39:f2:2d:f6:c7:3a:8f:62:
         42:04:d5:66:89:89:74:c9:72:e3:56:58:03:7c:95:32:f4:cb:
         8b:b5:24:e1:94:1c:3a:53


The next step is to concatenate all the public certificates into a single file so it can be imported into the keystore.jks. That way when the application (NiFi) presents its public certificate to the browser, it also presents the "certificate chain" that shows NiFi cert (signed by) Issuing CA (signed by) Root CA, and (hopefully) Root CA is already present in the client truststores (i.e. the browser/OS), or is signed by a global CA certificate (a commercial entity like Verisign, Comodo, etc.) that is already in those truststores.

Basically the steps you need to take are:

  1. Copy the contents of all three "*.cer" files you received into a single text file (include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines for each) called "chain.pem". It should look like:

       -----BEGIN CERTIFICATE-----
       Abcd...
       -----END CERTIFICATE-----
       -----BEGIN CERTIFICATE-----
       1234...
       -----END CERTIFICATE-----
       -----BEGIN CERTIFICATE-----
       Wxyz...
       -----END CERTIFICATE-----

  2. Import this signed certificate chain into the keystore using the same alias as the private key that already exists (appears to be server based on your question above):

       keytool -import -trustcacerts -alias server -file chain.pem -keystore keystore.jks
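The two steps above as a small script, added here as an example and not part of the original answer. It assumes the file names from the question (nifi.cer, issuing-CA.cer, root-CA.cer in PEM form, keystore.jks with the private key under the alias "server") and an assumed NiFi host:port for the final check.

```sh
#!/bin/sh
# Added example, not from the thread: scripts the chain assembly and import above.
# Assumed inputs (named as in the question): nifi.cer, issuing-CA.cer, root-CA.cer
# in PEM form, and keystore.jks whose private-key entry uses the alias "server".

# Number of PEM certificate blocks in a file (0 if none, e.g. a DER-encoded .cer).
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Concatenate leaf, issuing CA and root CA (in that order) into OUT and print the
# resulting block count. Refuses non-PEM input and fixes a missing trailing newline,
# since a BEGIN line glued onto the previous END line is not a valid PEM boundary.
build_chain() {   # usage: build_chain chain.pem nifi.cer issuing-CA.cer root-CA.cer
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        n=$(count_pem_certs "$f")
        if [ "${n:-0}" -lt 1 ]; then
            echo "$f is not PEM; convert first: openssl x509 -inform der -in $f -out $f.pem" >&2
            return 1
        fi
        cat "$f" >> "$out"
        [ -z "$(tail -c1 "$f")" ] || printf '\n' >> "$out"
    done
    count_pem_certs "$out"
}

# Prove the leaf really chains up to the root before touching the keystore.
verify_chain() {  # usage: verify_chain nifi.cer issuing-CA.cer root-CA.cer
    openssl verify -CAfile "$3" -untrusted "$2" "$1"
}

# Import the chain under the SAME alias as the private key. A different alias would
# add a separate trusted-cert entry and NiFi would keep serving the old certificate.
import_chain() {  # usage: import_chain chain.pem keystore.jks server
    keytool -importcert -trustcacerts -alias "$3" -file "$1" -keystore "$2"
    # After a correct import this line should read "Certificate chain length: 3".
    keytool -list -v -keystore "$2" -alias "$3" | grep 'Certificate chain length'
}

# After restarting NiFi, confirm what clients actually receive (host:port is assumed).
show_served_chain() {  # usage: show_served_chain nifi.example.com:9443
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null \
        | grep -E '^ *[0-9]+ s:|^ *i:'
}
```

If show_served_chain lists only one "s:" line after the restart, the chain was not imported under the key's alias and the browser warning will persist.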




Explorer

@Andy LoPresto

Sorry to bother you, but I see that you have answered other posts that have similar issues to mine and I was hoping you could help out. Thanks!


Explorer

Awesome, that worked! Thanks for the help, I appreciate it!

Explorer

Hey @Andy LoPresto, now that I have this secure instance setup how would I go about Site-to-Site communication with another secure NiFi instance?

This is the list of certificates I have:

NiFi Instance A:

  • nifi.cer
  • nifi.p7b
  • root-CA.cer
  • issuing-CA.cer

NiFi Instance B:

  • nifi.cer
  • nifi.p7b
  • root-CA.cer
  • issuing-CA.cer

Do you know of any resources that would help me with the subject matter at hand, and what you would call it (SSL? TLS? Installing certificates?)? I am having trouble understanding what my issue is, so I don't know what to research to learn enough to avoid asking questions that have already been answered.

Thanks!

New Contributor

How do I download the tool? Is there a free one?